SUMMARY

1. PURPOSE. To provide security and policy review on the document at Tab 1 prior to release to the public.

2. BACKGROUND.

Author: Steve Hadfield

Title: Integrating Security and Software Assurance Concepts and Mindsets in an Undergraduate Computer Science Curriculum

Circle one: Abstract  Tech Report  Journal Article  Speech  Paper  (Presentation)  Poster
Thesis/Dissertation  Book  Other:

Check all that apply (For Communications Purposes):

[ ] CRADA (Cooperative Research and Development Agreement) exists

[ ] Photo/Video Opportunities  [ ] STEM-outreach Related  [ ] New Invention/Discovery/Patent

Description: Invited talk at the Software Assurance Forum, McLean, VA
Release Information:

Previous Clearance Information (if applicable): N/A

Recommended Distribution Statement: Distribution A, Approved for public release, distribution unlimited.

3. DISCUSSION. None.

4. VIEWS OF OTHERS. The Department Research Director has reviewed this paper and recommends it for public release.

5. RECOMMENDATION. Sign coord block above indicating document is suitable for public release. Suitability is based solely on the document being unclassified, not jeopardizing DoD interest, and accurately portraying official policy.
Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program

Striving to Achieve the Goals of the SEI/CERT Software Assurance Curriculum Project (Undergraduate)

Steve Hadfield
U.S. Air Force Academy, Department of Computer Science

Realization

In an outcome-based curriculum, some outcomes need to be purposefully developed across courses and years.

Result

A retrospective, outcome-based look at an existing curriculum (Felder & Brent)

Key Cross Curricular Initiative

Security & Software Assurance
Security & Software Assurance Initiative
Sophomore Year

Computer Science I - Intro to Programming

* Input interpretation validation, array bounds checking
* Integer overflow, error/exception handling, file I/O issues

Computer Science II - Data Abstraction

* Pre- and post-conditions, more advanced debugging
* Testing & debugging techniques, reinforce CS I topics

Computer Organization & Architecture

* Data type overflow, divide-by-zero, round-off error
* Stack overflows
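The sophomore-year topics above, collected into one short C program. This is an added example, not code from Hadfield's slides or from the USAFA course materials: strict input interpretation, overflow-checked integer arithmetic, array bounds checking with a signed index, a divide-by-zero guard, and a pre-/post-condition in the CS II style. Every function name, the sample score array and the "user" inputs are constructed for illustration; the overflow checks use the GCC/Clang `__builtin_*_overflow` extensions.

```c
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Input interpretation validation: accept text only if the WHOLE string is a
 * decimal integer that fits in an int. atoi() would return 0 for "abc" and
 * give a wrapped or truncated value for out-of-range input. */
bool parse_int_strict(const char *text, int *out)
{
    if (text == NULL || *text == '\0')
        return false;
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (errno == ERANGE)                     /* does not even fit in a long */
        return false;
    if (end == text || *end != '\0')         /* no digits, or trailing junk ("12x") */
        return false;
    if (value < INT_MIN || value > INT_MAX)  /* fits in a long but not in an int */
        return false;
    *out = (int)value;
    return true;
}

/* Integer overflow: signed overflow is undefined behaviour in C, so it must be
 * detected before it happens. __builtin_mul_overflow (GCC/Clang) computes the
 * product in infinite precision and reports whether it fits in *out. */
bool mul_checked(int a, int b, int *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* Array bounds checking: the index is taken as a signed long so that a negative
 * user value is rejected instead of being converted into a huge size_t. */
bool get_at(const int *arr, size_t n, long idx, int *out)
{
    if (arr == NULL || idx < 0 || (unsigned long)idx >= n)
        return false;
    *out = arr[idx];
    return true;
}

/* Divide-by-zero guard plus pre-/post-conditions. Precondition: n > 0 (an empty
 * array has no average and sum / n would trap). Postcondition: the truncated
 * mean lies between the smallest and largest element; asserted before return. */
bool average(const int *arr, size_t n, int *out)
{
    if (arr == NULL || n == 0)
        return false;
    long long sum = 0;
    int lo = arr[0], hi = arr[0];
    for (size_t i = 0; i < n; i++) {
        if (__builtin_add_overflow(sum, arr[i], &sum))
            return false;
        if (arr[i] < lo) lo = arr[i];
        if (arr[i] > hi) hi = arr[i];
    }
    long long mean = sum / (long long)n;
    assert(mean >= lo && mean <= hi);        /* postcondition */
    *out = (int)mean;
    return true;
}

/* A CS I style exercise built from the pieces: read an index and a scale factor
 * as text, fetch the element, scale it, and fail cleanly on any bad input. */
bool scale_element(const int *arr, size_t n, const char *idx_text,
                   const char *factor_text, int *out)
{
    int idx, factor, value;
    if (!parse_int_strict(idx_text, &idx) || !parse_int_strict(factor_text, &factor))
        return false;
    if (!get_at(arr, n, idx, &value))
        return false;
    return mul_checked(value, factor, out);
}

int main(void)
{
    /* Constructed sample data and "user" inputs (not from the slides). */
    const int scores[] = {70, 85, 90, 100, 65};
    const size_t n = sizeof scores / sizeof scores[0];
    const char *inputs[][2] = {
        {"2", "3"},           /* valid: 90 * 3 = 270 */
        {"7", "1"},           /* index past the end */
        {"-1", "1"},          /* negative index */
        {"2", "abc"},         /* not a number */
        {"3", "2147483647"},  /* 100 * INT_MAX overflows an int */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int result;
        if (scale_element(scores, n, inputs[i][0], inputs[i][1], &result))
            printf("idx=%s factor=%s -> %d\n", inputs[i][0], inputs[i][1], result);
        else
            printf("idx=%s factor=%s -> rejected\n", inputs[i][0], inputs[i][1]);
    }
    int avg;
    if (average(scores, n, &avg))
        printf("average = %d\n", avg);
    return 0;
}
```

The point for a first-year student is that each failure mode has a distinct check and a distinct place: the parser rejects malformed text, `get_at` rejects bad indices, `mul_checked` rejects results that do not fit, and `average` refuses the one input (an empty array) that would make its division undefined.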
Security & Software Assurance Initiative
Junior Year

Programming Paradigms

* Memory allocation/deallocation, termination conditions
* Stack/buffer overflows and protections, type safety

Operating Systems

* Deadlock issues, race conditions, system calls
* Signals, file system security
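The Programming Paradigms bullets above (termination conditions, stack/buffer overflows, allocation and deallocation) in C, as an added example that is not part of the slides or of any USAFA course code. The first function is deliberately written with the bug the slide refers to and is kept only as the "before"; the hardened copy, the bounded heap duplicate and the free-and-null helper are the "after". `NAME_CAP`, the function names and the sample inputs are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 16   /* size of the fixed stack buffer used below */

/* DELIBERATELY VULNERABLE ("before"): the loop's termination condition depends
 * only on the attacker-controlled source, never on the destination capacity.
 * A name of NAME_CAP or more characters writes past a NAME_CAP-byte stack
 * buffer into the locals, saved frame pointer and return address above it:
 * the classic stack smash. Returns the number of characters copied. */
size_t copy_name_unsafe(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Hardened ("after"): capacity is part of the contract, the loop is bounded by
 * it (so it also terminates on a source with no NUL inside cap bytes), and an
 * overlong name is reported as an error rather than silently truncated. */
bool copy_name_safe(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return false;
    size_t len = 0;
    while (len < cap && src[len] != '\0')   /* never reads past cap bytes */
        len++;
    if (len == cap)                          /* no room left for the NUL */
        return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* The safe copy into a NAME_CAP stack buffer: copied length, or -1 if rejected. */
int greet_len(const char *name)
{
    char buf[NAME_CAP];
    if (!copy_name_safe(buf, sizeof buf, name))
        return -1;
    return (int)strlen(buf);
}

/* Heap allocation sized from a validated length; ownership passes to the
 * caller, who must free() the result. NULL if src exceeds max_len or on OOM. */
char *dup_bounded(const char *src, size_t max_len)
{
    size_t len = 0;
    while (len < max_len && src[len] != '\0')
        len++;
    if (len == max_len && src[len] != '\0')  /* longer than allowed */
        return NULL;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, src, len);
    copy[len] = '\0';
    return copy;
}

/* Deallocation discipline: free through a pointer-to-pointer and null it, so a
 * second call is a harmless no-op instead of a double free. */
void free_and_null(char **p)
{
    free(*p);
    *p = NULL;
}

/* Round-trips src through dup_bounded and the free helper (called twice on
 * purpose); true when the copy matched and the pointer ended up NULL. */
bool dup_roundtrip(const char *src, size_t max_len)
{
    char *copy = dup_bounded(src, max_len);
    if (copy == NULL)
        return false;
    bool same = strcmp(copy, src) == 0;
    free_and_null(&copy);
    free_and_null(&copy);   /* safe: copy is already NULL */
    return same && copy == NULL;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would smash a 16-byte buffer. */
    const char *ok = "Cadet";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char buf[NAME_CAP];

    printf("unsafe copy of \"%s\": %zu chars\n", ok, copy_name_unsafe(buf, ok));
    /* copy_name_unsafe(buf, too_long) is NOT called here: it would overflow buf. */
    printf("safe copy of %zu chars: %s\n", strlen(too_long),
           copy_name_safe(buf, sizeof buf, too_long) ? "ok" : "rejected");
    printf("dup_roundtrip: %s\n", dup_roundtrip(ok, 32) ? "ok" : "failed");
    return 0;
}
```

The "protections" on the slide are the compiler- and library-level mitigations that sit behind code like this: GCC and Clang's `-fstack-protector-strong` (a canary between the buffer and the saved return address) and `-D_FORTIFY_SOURCE=2` (bounds-aware `memcpy`/`strcpy` replacements where the size is known), and `-fsanitize=address` in test builds, which turns the silent write of `copy_name_unsafe` into an immediate report. None of them substitutes for carrying the capacity in the interface as `copy_name_safe` does.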
Databases & Web Programming

* Defense against SQL injection attacks
* Cross site scripting attacks

Networks

* Secure protocols, wireless encryption, Man-in-the-Middle attacks
* Adversarial view of protocols, network access control
Security & Software Assurance Initiative
Senior Year

Languages & Machines (compilers & language theory)

* Type checking mechanisms, array bounds checking mechanisms
* Translation to machine language

Computer Security & Information Warfare

* Security & threat models
* Range of security strategies and techniques

Software Engineering I

* Security requirements, security analysis of system design, risk management
* Formal test plans/procedures/reports
* Integration/system/regression/smoke/stress/security testing

Software Engineering II

* Introduction to Formal Methods
* Reengineering & forward engineering

Software Assurance & Security for ALL

(Slide diagram; only the labels survive extraction.)
Vectors: Professionals (Comp Sci, Info Sys, Info Tech, MIS); General Awareness; Specialization
Curricular & pedagogical resources

* Personal awareness & defense
* Bigger issues: enterprise, national, global
* Defense is the "hard job"
* Funding for developing experts

Enrichment Activities

Defensive Competitions

3/21/2012

Questions?

Steve Hadfield
Steven.Hadfield@usafa.edu